- Meeting of Overview and Scrutiny Commission, Thursday, 22nd October, 2020 10.00 am (Item 163/20)
To note whether the Chairman proposes to accept any item as urgent business pursuant to Section 100(B)(4)(b) of the Local Government Act 1972.
The Chairman brought to the attention of Members that, given a recent fake email that had been sent to elected members in the name of the Leader of the Council and the recent cybersecurity attack on Hackney Council, there was an urgent need to raise awareness among all Members of the issue of cyber security and to initiate potential member training and future monitoring and reporting. It was especially critical given the nature of the work of the Council during the pandemic, and the fact that cyber criminals appeared to be using the current situation to target individuals and organisations.
To address the matter, the IT Manager provided a presentation to Members that covered standard countermeasures deployed by the Council, the key partnerships to cyber defence, and the resources available to assist Members should they be alerted to suspicious activity.
In addition, Members were reminded of the e-learning modules available on cybersecurity; however, a reminder would be sent to all Members.
Councillor Mark Kiddle-Morris raised that at the recent Governance and Audit Committee an update had been received on the number of internal audit recommendations that had not been fulfilled. It was raised that for 2017/2018 there were three cybersecurity recommendations that had not been fulfilled, along with a further three in 2018/2019, one of which related to the firewall. The IT Manager would confirm but believed that the deployment of the second firewall layer had been completed. He also informed Members that all ICT policies would be reviewed and updated over the coming 3-month period.
Councillor Kybird asked whether, as the recent phishing email was sent from a Gmail account, Google would be responsive to having such suspicious activity reported to them and could close the account down.
The IT Manager agreed that, whilst there were reporting routes into Google, he was not clear on the criteria that would allow the individual account to be closed down. However, he would report back to Members with the information.
Councillor Martin informed Members that when he had contacted the IT Helpdesk he was told to use the ‘report as spam’ option at the bottom of the email. However, it became apparent that this was not present on the email. The IT Manager would investigate the issue further.
Councillor Nairn explained his recent experience where his bank account had been hacked and personally recommended to Members that they do not store any password or login details in any app, as he felt apps could be subject to a data breach. He went on to recommend a website, https://haveibeenpwned.com, where individuals could check if passwords and emails had been compromised. In addition, he explained to Members how to check if an email received could be a phishing email and expressed that Members should never open a hyperlink within an email as it could contain a virus. He went on to suggest a further two websites, www.experian.co.uk and https://www.gov.uk/report-suspicious-emails-websites-phishing, to check and report suspicious activity.
Councillor Morton asked if the Council had partnered with organisations within the private sector to widen and share experience for both the public and private sectors. Members were informed that the National Cyber Security Centre (NCSC) interacted across both public and private sectors, but that the Council were not directly involved with private organisations.
In light of the information that had been shared, the following recommendations were made:
RECOMMENDED to the GOVERNANCE & AUDIT COMMITTEE to consider what recommendations had not been fulfilled in relation to cybersecurity and an audit for the number of members and officers who had completed requisite online training.
RECOMMENDED to the MEMBER DEVELOPMENT PANEL to consider further training where appropriate for all Members in relation to cybersecurity.